Early Detection Of Active Internet Worms
This is a paper from a few years ago that looks at the detection of a worm through failed reply traffic.
An active Internet worm is malicious software that autonomously searches for and infects vulnerable hosts, copying itself from one host to another and spreading through the susceptible population. Most recent worms find vulnerable hosts by generating random IP addresses and then probing those addresses to see which are running the desired vulnerable services. Detection of such worms is a manual process in which security analysts must observe and analyze unusual network or host activity, and the worm might not be positively identified until it already has spread to most of the Internet. In this chapter, we present an automated system that can identify active scanning worms soon after they begin to spread, a necessary precursor to halting or slowing the spread of the worm. Our implemented system collects ICMP Destination Unreachable messages from instrumented routers, identifies message patterns that indicate malicious scanning activity, and then identifies scan patterns that indicate a propagating worm. We examine an epidemic model for worm propagation, describe our ICMP-based detection system, and present simulation results that illustrate its detection capabilities.
Early Detection Of Active Internet Worms, Vincent H. Berk, George V. Cybenko and Robert S. Gray. You may remember that Berk has done a lot of work on using ICMP unreachable messages to detect worm activity.
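To make the abstract's two-stage idea concrete, here is an added example (my own illustration, not code from the paper or its authors). It assumes a feed of ICMP Destination Unreachable records that carry the header of the bounced packet, flags a source as a scanner when it triggers unreachables for many distinct addresses inside a time window, and then raises a worm alert when the number of distinct scanners keeps growing across consecutive windows. The window size, the distinct-address threshold and the "growing scanner population" rule are my simplifications of the paper's epidemic-model criterion, not values taken from it; the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpUnreachable:
    """One ICMP Destination Unreachable record as a router might export it.

    The interesting fields are those of the bounced (embedded) packet:
    its source is the prober, its destination is the address that failed.
    """
    ts: float        # seconds since start of capture
    orig_src: str    # source of the bounced packet (the host doing the probing)
    orig_dst: str    # address that was unreachable
    orig_dport: int  # destination port of the bounced packet


def find_scanners(msgs, window=60.0, min_unreachable=5):
    """Stage 1: per time window, return the set of sources that caused
    unreachables for at least `min_unreachable` distinct destinations.

    Counting distinct destinations (not raw messages) keeps a host that
    repeatedly retries one dead address from looking like a scanner.
    Thresholds are assumptions for this example.
    """
    per_window = defaultdict(lambda: defaultdict(set))
    for m in msgs:
        per_window[int(m.ts // window)][m.orig_src].add(m.orig_dst)
    return {
        w: {src for src, dsts in srcs.items() if len(dsts) >= min_unreachable}
        for w, srcs in per_window.items()
    }


def worm_alert(scanners_by_window, min_windows=3):
    """Stage 2: a lone scanner is just a scanner; a propagating worm recruits
    new scanners over time. Alert when the count of distinct scanners rises
    strictly for `min_windows` consecutive windows (simplified criterion).
    """
    counts = [len(scanners_by_window[w]) for w in sorted(scanners_by_window)]
    run = 1
    for prev, cur in zip(counts, counts[1:]):
        run = run + 1 if cur > prev else 1
        if run >= min_windows:
            return True
    return False


def _probe_burst(ts, src, n, port):
    """Constructed helper: `src` probes n consecutive dead addresses."""
    return [IcmpUnreachable(ts + i * 0.1, src, f"192.0.2.{i + 1}", port)
            for i in range(n)]


# Constructed sample feed: one scanner in window 0, two in window 1, three in
# window 2, plus a benign host retrying a single dead DNS server six times.
SAMPLE = (
    _probe_burst(0.0, "10.0.0.5", 8, 445)
    + [IcmpUnreachable(5.0 + i, "10.0.0.9", "198.51.100.1", 53) for i in range(6)]
    + _probe_burst(60.0, "10.0.0.5", 8, 445)
    + _probe_burst(70.0, "10.0.1.7", 8, 445)
    + _probe_burst(120.0, "10.0.0.5", 8, 445)
    + _probe_burst(125.0, "10.0.1.7", 8, 445)
    + _probe_burst(130.0, "10.0.2.3", 8, 445)
)

if __name__ == "__main__":
    scanners = find_scanners(SAMPLE)
    for w in sorted(scanners):
        print(f"window {w}: scanners={sorted(scanners[w])}")
    print("worm alert:", worm_alert(scanners))
```

Running it prints one scanner in window 0, two in window 1 and three in window 2, and the alert fires; the retrying host 10.0.0.9 never appears because all six of its unreachables concern the same destination.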
Work's been very busy, so I haven't had a lot of time to post.
October 3, 2006 in detection, papers